Qemu vs sstrip

Qemu usually does a great job of emulating embedded Linux applications, but as with anything, you will occasionally run into bugs. While attempting to debug an embedded application in Qemu the other day, I ran into the following error:

Sure enough, the section headers had been stripped out of the ELF binary. Tools such as sstrip commonly do this to save precious storage space on embedded devices, and since section headers are only needed by linkers and debuggers, not by the loader, this shouldn’t prevent Qemu from loading the binary.

A quick grep of Qemu’s source turned up the culprit in linux-user/elfload.c:

Even though section headers aren’t required to load an ELF file, the elf_check_ehdr function expects e_shentsize (the size of one section header entry) to equal sizeof(struct elf_shdr), and rejects the binary when it does not, regardless of whether there is any section table to read; an sstrip’d binary has e_shentsize set to zero, so it never gets past this check. Simply commenting out this line and re-compiling did the trick:

5 Responses to Qemu vs sstrip

Hello, I was wondering if you could give me some advice as to how to extract the modified SquashFS used in some of the Belkin modem/router combos. These seem to be using the same format, but I have linked both for the sake of completeness.

The Squashfs header that is being matched is ‘shsq’, which none of the unsquashfs tools in firmware-mod-kit understand. I have tried patching ‘shsq’ to the other standard Squashfs magic codes, but unsquashfs is still failing.

I have sent a request to Belkin for the modified source code under GPL, but they have yet to respond. They do have a GPL compliant source code page, but none of the F7D models are on it right now. http://www.belkin.com/support/opensource/

They finally got back to me with the response:
“We are really sorry to inform you that we don’t have any new firmware or any open source development for the router available and as of now. if we do have any update we will update that on the http://belkin.com/support”

Don’t they have to release the GPL code when asked? I suppose this could have been a simple tech support guy that doesn’t know the licenses.

I ran into this same problem today, using qemu-mips version 2.0.0. So apparently the “bug” has not gone through yet, or has maybe been rejected in the process.

Anyway, I used another way to circumvent the same issue: simply modify the executable itself to report a non-zero section_header_size. (The number of section headers stays at 0, so there is no wrongdoing here.)
So practically, I used xxd then xxd -r to change the byte at offset 0x2f to read 40 (0x28) instead of 0.

Of course, with this method, one needs to fix each and every executable (I am guessing all the dependent shared objects as well), which can be pretty inconvenient depending on your scenario.
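The following is an added example, written for this page; it is not code from the post, from Qemu, or from the commenter above. It covers both the check described in the post (elf_check_ehdr comparing e_shentsize against sizeof(struct elf_shdr)) and the byte-patching workaround from the comment: it decodes an ELF file header, reports which of the two sizeof comparisons would fail, and can write a copy with e_shentsize set to the expected value while leaving e_shnum and e_shoff at zero. The expected sizes are the standard ones (Elf32_Phdr 0x20, Elf32_Shdr 0x28, Elf64_Phdr 0x38, Elf64_Shdr 0x40), and the built-in sample header is constructed to look like sstrip output for a big-endian MIPS executable; it is a header only, not a real binary.

```python
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
EM_MIPS = 8

# sizeof(struct elf_phdr) / sizeof(struct elf_shdr) that elf_check_ehdr compares
# e_phentsize / e_shentsize against, per ELF class (standard ELF32/ELF64 sizes).
PHDR_SIZE = {ELFCLASS32: 0x20, ELFCLASS64: 0x38}
SHDR_SIZE = {ELFCLASS32: 0x28, ELFCLASS64: 0x40}
# File offset of the 16-bit e_shentsize field: 0x2e-0x2f (ELF32), 0x3a-0x3b (ELF64).
SHENTSIZE_OFF = {ELFCLASS32: 0x2E, ELFCLASS64: 0x3A}
# struct formats for everything after e_ident[16]
EHDR_FMT = {ELFCLASS32: "HHIIIIIHHHHHH", ELFCLASS64: "HHIQQQIHHHHHH"}
EHDR_FIELDS = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff", "e_shoff",
               "e_flags", "e_ehsize", "e_phentsize", "e_phnum", "e_shentsize",
               "e_shnum", "e_shstrndx")


def parse_ehdr(data):
    """Decode the ELF file header at the start of data into a dict."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    cls, enc = data[4], data[5]
    if cls not in EHDR_FMT or enc not in (ELFDATA2LSB, ELFDATA2MSB):
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    endian = "<" if enc == ELFDATA2LSB else ">"
    hdr = dict(zip(EHDR_FIELDS, struct.unpack_from(endian + EHDR_FMT[cls], data, 16)))
    hdr["ei_class"], hdr["ei_data"] = cls, enc
    return hdr


def qemu_rejects(hdr):
    """Reproduce the two sizeof comparisons from elf_check_ehdr; return the ones that fail."""
    cls = hdr["ei_class"]
    reasons = []
    if hdr["e_phentsize"] != PHDR_SIZE[cls]:
        reasons.append("e_phentsize=%#x != sizeof(elf_phdr)=%#x" % (hdr["e_phentsize"], PHDR_SIZE[cls]))
    if hdr["e_shentsize"] != SHDR_SIZE[cls]:
        reasons.append("e_shentsize=%#x != sizeof(elf_shdr)=%#x" % (hdr["e_shentsize"], SHDR_SIZE[cls]))
    return reasons


def is_sstripped(hdr):
    """sstrip leaves no section table at all: e_shoff, e_shentsize and e_shnum are zero."""
    return hdr["e_shoff"] == 0 and hdr["e_shentsize"] == 0 and hdr["e_shnum"] == 0


def patch_shentsize(data):
    """Return a copy with e_shentsize = sizeof(elf_shdr), exactly what the xxd edit did.
    e_shnum and e_shoff are untouched (still 0), so nothing will ever read a section table."""
    hdr = parse_ehdr(data)
    cls = hdr["ei_class"]
    endian = "<" if hdr["ei_data"] == ELFDATA2LSB else ">"
    off = SHENTSIZE_OFF[cls]
    return data[:off] + struct.pack(endian + "H", SHDR_SIZE[cls]) + data[off + 2:]


def build_sstripped_ehdr(elf_class=ELFCLASS32, elf_data=ELFDATA2MSB, machine=EM_MIPS):
    """Constructed sample (assumption, not a real binary): the file header of an
    ET_EXEC with one program header and no section table, as sstrip leaves it."""
    endian = "<" if elf_data == ELFDATA2LSB else ">"
    ehsize = 52 if elf_class == ELFCLASS32 else 64
    e_ident = ELF_MAGIC + bytes([elf_class, elf_data, 1]) + b"\x00" * 9
    return e_ident + struct.pack(endian + EHDR_FMT[elf_class],
                                 2,                     # e_type = ET_EXEC
                                 machine,               # e_machine
                                 1,                     # e_version
                                 0x00400000,            # e_entry
                                 ehsize,                # e_phoff: phdrs follow the header
                                 0,                     # e_shoff: no section table
                                 0,                     # e_flags
                                 ehsize,                # e_ehsize
                                 PHDR_SIZE[elf_class],  # e_phentsize (sstrip keeps phdrs)
                                 1,                     # e_phnum
                                 0,                     # e_shentsize: trips elf_check_ehdr
                                 0,                     # e_shnum
                                 0)                     # e_shstrndx


def main(argv):
    # usage: elfhdr.py [input.elf [patched-output.elf]]; with no args, inspect the sample
    if len(argv) < 2:
        data = build_sstripped_ehdr()
    else:
        with open(argv[1], "rb") as f:
            data = f.read()
    hdr = parse_ehdr(data)
    for name in EHDR_FIELDS:
        print("%-12s %#x" % (name, hdr[name]))
    print("sstripped:", is_sstripped(hdr))
    for reason in qemu_rejects(hdr):
        print("elf_check_ehdr would fail:", reason)
    if len(argv) == 3:
        with open(argv[2], "wb") as f:
            f.write(patch_shentsize(data))
        print("wrote patched copy to", argv[2])


if __name__ == "__main__":
    main(sys.argv)
```

On the big-endian MIPS sample the patch changes only byte 0x2f (the low byte of the big-endian e_shentsize) from 0x00 to 0x28, which matches the xxd edit in the comment; on a little-endian or 64-bit target the field sits elsewhere, which is why the script locates it by class and byte order instead of hard-coding 0x2f. Qemu's user-mode loader runs the same header check on the PT_INTERP dynamic linker it loads for a dynamically linked executable, so that file may need the same treatment.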